HTML tag can not filter XSS
MyKings opened this issue
MyKings commented
In the input text box, enter the following:
http://www.example.com/<script>alert(document.cookie)</script>
Here is the test code; click preview to trigger it :)
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>editor</title>
<link href="/static/css/bootstrap.min.css" rel="stylesheet">
<link href="/static/css/bootstrap-markdown-editor.css" rel="stylesheet">
<script src="/static/js/jquery-1.7.2.min.js"></script>
<script src="/static/js/bootstrap.min.js"></script>
<script src="/static/js/ace.js"></script>
<script src="/static/js/bootstrap-markdown-editor.js"></script>
</head>
<body>
<!-- Editor content containing raw HTML; this is the payload from the issue -->
<div id="myEditor">http://www.example.com/<script>alert(document.cookie)</script></div>
<script>
$('#myEditor').markdownEditor({
preview: true,
onPreview: function (content, callback) {
// The editor content is written to the DOM as HTML without any filtering,
// so the <script> tag above executes when the preview is rendered.
$('#myEditor').html(content);
}
});
</script>
</body>
</html>
Ignacio de Tomás commented
It depends on the markdown parser. The example in this repository uses the JavaScript library Marked to parse the markdown to HTML only as a demonstration.
You should use a server-side parser with the filters you need.
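A preview handler that applies the filtering Ignacio's reply points to, as an added example that is not the project's own code: inline HTML in the editor content is escaped before the markdown step, and link targets are limited to non-script schemes. The `renderMarkdown` function is an assumed stand-in that handles links only, so the file runs offline in place of Marked; the `(content, callback)` signature follows the issue's snippet.

```javascript
// Added example, not from bootstrap-markdown-editor. Escapes untrusted
// editor content before any markdown-to-HTML step so raw tags in the
// source (like the <script> tag from the issue) render as visible text.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five HTML-significant characters. After this, nothing in the
// source can open or close a tag or break out of an attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow only URL schemes that cannot execute script; anything else
// (javascript:, data:, vbscript:, ...) is replaced by a harmless '#'.
function safeHref(url) {
  return /^(https?:|mailto:)/i.test(url.trim()) ? url : '#';
}

// Assumed stand-in for the real markdown renderer (Marked in the repo demo):
// turns [text](url) into an anchor and passes everything else through.
// It operates on already-escaped input, so the generated markup is the only
// markup that reaches the DOM.
function renderMarkdown(escapedSource) {
  return escapedSource.replace(/\[([^\]]+)\]\(([^)\s]+)\)/g,
    (match, text, url) => `<a href="${safeHref(url)}">${text}</a>`);
}

// Escape first, then render. Order matters: escaping the renderer's output
// instead would also neutralise the legitimate markup it produced.
function buildPreview(content) {
  return renderMarkdown(escapeHtml(content));
}

// Replacement for the issue's handler, which did $('#myEditor').html(content)
// with the raw content. Kept DOM-free so it runs under Node; in the browser
// hand the result to callback() (or to .html()) instead of the raw content.
function onPreview(content, callback) {
  const html = buildPreview(content);
  if (typeof callback === 'function') callback(html);
  return html;
}
```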